Example 1 with AuthenticationHandler
use of org.apache.hadoop.security.authentication.server.AuthenticationHandler in project hadoop by apache.
the class DelegationTokenAuthenticationFilter method init.
@Override
public void init(FilterConfig filterConfig) throws ServletException {
super.init(filterConfig);
AuthenticationHandler handler = getAuthenticationHandler();
AbstractDelegationTokenSecretManager dtSecretManager = (AbstractDelegationTokenSecretManager) filterConfig.getServletContext().getAttribute(DELEGATION_TOKEN_SECRET_MANAGER_ATTR);
if (dtSecretManager != null && handler instanceof DelegationTokenAuthenticationHandler) {
DelegationTokenAuthenticationHandler dtHandler = (DelegationTokenAuthenticationHandler) getAuthenticationHandler();
dtHandler.setExternalDelegationTokenSecretManager(dtSecretManager);
}
if (handler instanceof PseudoAuthenticationHandler || handler instanceof PseudoDelegationTokenAuthenticationHandler) {
setHandlerAuthMethod(SaslRpcServer.AuthMethod.SIMPLE);
}
if (handler instanceof KerberosAuthenticationHandler || handler instanceof KerberosDelegationTokenAuthenticationHandler) {
setHandlerAuthMethod(SaslRpcServer.AuthMethod.KERBEROS);
}
// proxyuser configuration
Configuration conf = getProxyuserConfiguration(filterConfig);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
}
Also used :
KerberosAuthenticationHandler(org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler)
Configuration(org.apache.hadoop.conf.Configuration)
KerberosAuthenticationHandler(org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler)
PseudoAuthenticationHandler(org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler)
MultiSchemeAuthenticationHandler(org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler)
AuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler)
AbstractDelegationTokenSecretManager(org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager)
PseudoAuthenticationHandler(org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler)
Example 2 with AuthenticationHandler
use of org.apache.hadoop.security.authentication.server.AuthenticationHandler in project incubator-atlas by apache.
the class AtlasAuthenticationFilter method doKerberosAuth.
/**
* This method is copied from hadoop auth lib, code added for error handling and fallback to other auth methods
*
* If the request has a valid authentication token it allows the request to continue to the target resource,
* otherwise it triggers an authentication sequence using the configured {@link org.apache.hadoop.security.authentication.server.AuthenticationHandler}.
*
* @param request the request object.
* @param response the response object.
* @param filterChain the filter chain object.
*
* @throws IOException thrown if an IO error occurred.
* @throws ServletException thrown if a processing error occurred.
*/
public void doKerberosAuth(ServletRequest request, ServletResponse response, FilterChain filterChainWrapper, FilterChain filterChain) throws IOException, ServletException {
boolean unauthorizedResponse = true;
int errCode = HttpServletResponse.SC_UNAUTHORIZED;
AuthenticationException authenticationEx = null;
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
boolean isHttps = "https".equals(httpRequest.getScheme());
AuthenticationHandler authHandler = getAuthenticationHandler();
try {
boolean newToken = false;
AuthenticationToken token;
try {
token = getToken(httpRequest);
} catch (AuthenticationException ex) {
LOG.warn("AuthenticationToken ignored: {}", ex.getMessage());
// will be sent back in a 401 unless filter authenticates
authenticationEx = ex;
token = null;
}
if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
if (token == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Request [{}] triggering authentication", getRequestURL(httpRequest));
}
token = authHandler.authenticate(httpRequest, httpResponse);
if (token != null && token.getExpires() != 0 && token != AuthenticationToken.ANONYMOUS) {
token.setExpires(System.currentTimeMillis() + getValidity() * 1000);
}
newToken = true;
}
if (token != null) {
unauthorizedResponse = false;
if (LOG.isDebugEnabled()) {
LOG.debug("Request [{}] user [{}] authenticated", getRequestURL(httpRequest), token.getUserName());
}
final AuthenticationToken authToken = token;
httpRequest = new HttpServletRequestWrapper(httpRequest) {
@Override
public String getAuthType() {
return authToken.getType();
}
@Override
public String getRemoteUser() {
return authToken.getUserName();
}
@Override
public Principal getUserPrincipal() {
return (authToken != AuthenticationToken.ANONYMOUS) ? authToken : null;
}
};
if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
String signedToken = signer.sign(token.toString());
createAuthCookie(httpResponse, signedToken, getCookieDomain(), getCookiePath(), token.getExpires(), isHttps);
}
filterChainWrapper.doFilter(httpRequest, httpResponse);
}
} else {
unauthorizedResponse = false;
}
} catch (AuthenticationException ex) {
// exception from the filter itself is fatal
errCode = HttpServletResponse.SC_FORBIDDEN;
authenticationEx = ex;
LOG.warn("Authentication exception: {}", ex.getMessage(), ex);
}
if (unauthorizedResponse) {
if (!httpResponse.isCommitted()) {
createAuthCookie(httpResponse, "", getCookieDomain(), getCookiePath(), 0, isHttps);
// present.. reset to 403 if not found..
if ((errCode == HttpServletResponse.SC_UNAUTHORIZED) && (!httpResponse.containsHeader(KerberosAuthenticator.WWW_AUTHENTICATE))) {
errCode = HttpServletResponse.SC_FORBIDDEN;
}
if (authenticationEx == null) {
// added this code for atlas error handling and fallback
if (!supportKeyTabBrowserLogin && isBrowser(httpRequest.getHeader("User-Agent"))) {
filterChain.doFilter(request, response);
} else {
boolean chk = true;
Collection<String> headerNames = httpResponse.getHeaderNames();
for (String headerName : headerNames) {
String value = httpResponse.getHeader(headerName);
if (headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("ATLASSESSIONID")) {
chk = false;
break;
}
}
String authHeader = httpRequest.getHeader("Authorization");
if (authHeader == null && chk) {
filterChain.doFilter(request, response);
} else if (authHeader != null && authHeader.startsWith("Basic")) {
filterChain.doFilter(request, response);
}
}
} else {
httpResponse.sendError(errCode, authenticationEx.getMessage());
}
}
}
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
AbstractAuthenticationToken(org.springframework.security.authentication.AbstractAuthenticationToken)
UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
AuthenticationToken(org.apache.hadoop.security.authentication.server.AuthenticationToken)
AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException)
HttpServletRequestWrapper(javax.servlet.http.HttpServletRequestWrapper)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
KerberosAuthenticationHandler(org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler)
AuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler)
Principal(java.security.Principal)
Example 3 with AuthenticationHandler
use of org.apache.hadoop.security.authentication.server.AuthenticationHandler in project lucene-solr by apache.
the class HadoopAuthFilter method initializeAuthHandler.
@Override
protected void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig) throws ServletException {
// set the internal authentication handler in order to record whether the request should continue
super.initializeAuthHandler(authHandlerClassName, filterConfig);
AuthenticationHandler authHandler = getAuthenticationHandler();
super.initializeAuthHandler(RequestContinuesRecorderAuthenticationHandler.class.getName(), filterConfig);
RequestContinuesRecorderAuthenticationHandler newAuthHandler = (RequestContinuesRecorderAuthenticationHandler) getAuthenticationHandler();
newAuthHandler.setAuthHandler(authHandler);
}
Also used :
AuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler)
Example 4 with AuthenticationHandler
use of org.apache.hadoop.security.authentication.server.AuthenticationHandler in project incubator-atlas by apache.
the class AtlasAuthenticationFilter method getToken.
@Override
protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
AuthenticationToken token = null;
String tokenStr = null;
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
tokenStr = cookie.getValue();
try {
tokenStr = this.signer.verifyAndExtract(tokenStr);
} catch (SignerException ex) {
throw new AuthenticationException(ex);
}
}
}
}
if (tokenStr != null) {
token = AuthenticationToken.parse(tokenStr);
if (token != null) {
AuthenticationHandler authHandler = getAuthenticationHandler();
if (!token.getType().equals(authHandler.getType())) {
throw new AuthenticationException("Invalid AuthenticationToken type");
}
if (token.isExpired()) {
throw new AuthenticationException("AuthenticationToken expired");
}
}
}
return token;
}
Also used :
Cookie(javax.servlet.http.Cookie)
AbstractAuthenticationToken(org.springframework.security.authentication.AbstractAuthenticationToken)
UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
AuthenticationToken(org.apache.hadoop.security.authentication.server.AuthenticationToken)
AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException)
KerberosAuthenticationHandler(org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler)
AuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler)
SignerException(org.apache.hadoop.security.authentication.util.SignerException)
Example 5 with AuthenticationHandler
use of org.apache.hadoop.security.authentication.server.AuthenticationHandler in project lucene-solr by apache.
the class KerberosFilter method initializeAuthHandler.
@Override
protected void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig) throws ServletException {
// set the internal authentication handler in order to record whether the request should continue
super.initializeAuthHandler(authHandlerClassName, filterConfig);
AuthenticationHandler authHandler = getAuthenticationHandler();
super.initializeAuthHandler(RequestContinuesRecorderAuthenticationHandler.class.getName(), filterConfig);
RequestContinuesRecorderAuthenticationHandler newAuthHandler = (RequestContinuesRecorderAuthenticationHandler) getAuthenticationHandler();
newAuthHandler.setAuthHandler(authHandler);
}
Also used :
AuthenticationHandler(org.apache.hadoop.security.authentication.server.AuthenticationHandler)
Aggregations
AuthenticationHandler (org.apache.hadoop.security.authentication.server.AuthenticationHandler)6
KerberosAuthenticationHandler (org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler)3
AuthenticationException (org.apache.hadoop.security.authentication.client.AuthenticationException)2
AuthenticationToken (org.apache.hadoop.security.authentication.server.AuthenticationToken)2
AbstractAuthenticationToken (org.springframework.security.authentication.AbstractAuthenticationToken)2
UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)2
Principal (java.security.Principal)1
Cookie (javax.servlet.http.Cookie)1
HttpServletRequest (javax.servlet.http.HttpServletRequest)1
HttpServletRequestWrapper (javax.servlet.http.HttpServletRequestWrapper)1
HttpServletResponse (javax.servlet.http.HttpServletResponse)1
Configuration (org.apache.hadoop.conf.Configuration)1
MultiSchemeAuthenticationHandler (org.apache.hadoop.security.authentication.server.MultiSchemeAuthenticationHandler)1
PseudoAuthenticationHandler (org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler)1
SignerException (org.apache.hadoop.security.authentication.util.SignerException)1
AbstractDelegationTokenSecretManager (org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager)1
